[Dailydave] Sympathy for the Devil

Michal Zalewski lcamtuf at coredump.cx
Fri Apr 6 00:16:48 EDT 2012

> The ethical choices aren't between harming computers or not harming them. The choices are between harming computers or harming people.

Uh, all sides of the debate are guilty of gross exaggeration - both in
terms of the positive / negative impact of that trade, and the profits
involved. And claims like that don't really help.

I don't have any fundamental issue with people getting paid for
vulnerability research. I may take offense if I believe the cause they
are supporting is harmful to me or to the society at large, but it's
seldom that black and white. So for the most part, I'm ambivalent.

The most significant problem I see with sales to "friendly
governments" is that from a purely pragmatic standpoint, stuff leaks.
A lot. Perhaps less so if it's used for the development of Stuxnet -
but more so in the infinitely more common case of being passed around
a plethora of private contractors and "vulnerability intelligence"
companies that can't quite configure their PHP+SQL well; or getting
incorporated into "everyday" surveillance tools.

So I'm not exactly happy with the growing body of institutionalized,
weaponized 0-day knowledge, and I think it's a good thing for the
Internet. I don't think it should be regulated, but it's perfectly
fair to call that out.

Now, it's a separate topic that I don't personally think highly of
people who sell to the highest bidder, without giving any
consideration to what happens next - because really, not all of this
is sold to "friendly governments". Again, it should probably be within
their rights to exhibit this opportunistic lack of interest, but then,
they probably shouldn't take offense in hearing an occasional rant.

[ Fitting: http://3.bp.blogspot.com/_JK1WmVzbCkA/StiGD_mhlYI/AAAAAAAAAUE/mpwzM2v32GI/s400/oldman.jpg